ISO 27001 Training
If your company is considering implementing an information security management system (ISMS) with a view to ISO 27001 certification, someone there may already have done a cursory internet search on ISO 27001 training. Training falls into three broad levels, depending on an individual's role in the ISMS or in the certification process. The following is a general overview of the three levels of ISO 27001 training.
The Auditing Level
Before a company can be ISO 27001 certified, it must first develop and implement an ISMS, which is then audited by an accredited certification body. The body sends a team of auditors to perform the review, headed by a Lead Auditor. Both the Lead Auditor and the other members of the audit team have been trained and certified to perform their tasks.
For the Lead Auditor specifically, certification requires a minimum of forty hours of classroom instruction (typically a five-day course), passing a written exam, and a certain amount of experience working on other audits as a team member. Successful completion of the classroom and exam portions does not, on its own, entitle an auditor to claim Lead Auditor credentials; verifiable audit experience is required.
The Implementation Level
At the implementation level, training is provided both to individuals at the company implementing the ISMS and to external contractors who provide implementation services. Lead Implementer credentials are given to individuals who have been certified to implement an ISMS in accordance with ISO 27001. Training may or may not be provided by an accredited organization. A non-accredited training provider may itself hold ISO 27001 certification for its own ISMS, but that certifies only the provider's security management, not the quality of its courses or the standing of the certificates it issues. Treat such a Lead Implementer certificate as less portable than one issued under a recognized accreditation scheme, and check how your chosen certification body regards it before relying on it.
The Company Level
At the company level, ISO 27001 training overlaps with two vendor-neutral certifications that are not specific to the standard. The first is Certified Information Security Manager (CISM). CISM is a certification rather than a position; it is usually held by the senior manager in charge of company security. Where the ISMS is concerned, the CISM holder's responsibilities cover security governance, risk management (including routine risk assessments), running the security program and managing information security incidents. CISM is administered by ISACA (Information Systems Audit and Control Association) and requires five years of information security work experience (ISACA allows limited substitutions) and passing a written exam.
The second company-level program is aimed at those who manage the day-to-day operation of an ISMS: the Systems Security Certified Practitioner (SSCP), administered by (ISC)². While SSCP can be earned by third-party contractors, at the company level it is normally held by database administrators, IT managers, software engineers, systems analysts, department heads and mid-level security personnel. The exam covers seven domains; certification requires passing it together with one year of verifiable work experience in at least one of those domains, agreement to the (ISC)² code of ethics and endorsement by an existing (ISC)² certified professional.
ISO 27001 training is available in most major metropolitan areas and online. Before contracting for any training services, check the provider's accreditation and reputation, and confirm that the certification body you intend to use recognizes the credential it issues. With the right training, an ISO 27001 project stands a much better chance of success.